Leaked Apple device IDs came from app developer, not FBI

A Florida publishing company has taken responsibility for the leaked Apple device identification numbers that were originally claimed to be stolen from a FBI laptop.

Paul DeHart admitted to NBC News that around 1 million unique device identifier numbers, or UDIDs, were stolen from his company’s database and not from an FBI laptop cracked by Anonymous-affiliated hacker group AntiSec. The FBI previously denied having access to UDIDs, and Apple denied sharing the numbers with the agency.

To prove his company was the source of the leak, DeHart downloaded the data released by AntiSec and compared it to that on his company’s computers. There was a 98 correlation between both batches of information, DeHart told NBC.

"That's 100 percent confidence level, it's our data," DeHart added. "As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this.”

UDIDs are regularly used by applications run on Apple devices as a way to identify users—for example, to send iMessages and push notifications to the proper device. While they are a quick and easy way for users to interact with software (often unknowingly) the UDIDs are extremely vulnerable, reported Aldo Cortesi, a researcher who has published numerous studies on the abuse of UDID since May 2011.

DeHart was tipped off to the security breach by independent researcher David Schuetz who believes the data was stolen sometime in the last two weeks. This further contradicts AntiSec’s claims that the information was stolen in March.

BlueToad is an app developer that provides services to more than 5,000 publishers, who have released more than 10,000 titles.

The company does not have plans to notify Apple users that their UDIDs have been compromised and doesn’t believe the leak is a major risk to user security.

"Honestly, the UDID information by itself isn't harmful, as far as we know," he told NBC. "I can’t say anything is impossible, but the reality is, to push notifications to a device, you need certain keys, certain Apple credentials. You have to have a developer’s account with Apple. … So there are lots of processes in place, measures to keep the average ‘anybody’ from being able to take UDIDs and begin doing something with that information."